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Abstract 

ePORT (electronic Project Online Risk Tool) provides a systematic approach to using an electronic 
database program to manage a program/project risk management processes. This presentation will briefly 
cover the standard risk management procedures, then thoroughly cover NASA’s Risk Management tool 
called ePORT. This electronic Project Online Risk Tool (ePORT) is a web-based risk management 
program that provides a common framework to capture and manage risks, independent of a 
programs/projects size and budget. It is used to thoroughly cover the risk management paradigm 
providing standardized evaluation criterion for common management reporting. ePORT improves 
Product Line, Center and Corporate Management insight, simplifies program/project manager reporting, 
and maintains an archive of data for historical reference (ref. 1). 

Introduction 

Proactive fundamental managing processes are essential in preventing potentially detrimental 
consequences. From a program’ s/project’s (P/P) conceptual phase to its disposal, it is imperative that 
potential negative events are identified early to ensure appropriate mitigation processes are implemented 
to reduce or eliminate prospective negative impacts. It is imperative that since all P/P are dynamic; the 
Risk management (RM) process should therefore be fluid and continuously updated as the schedule 
progresses. 

Disciplines, be they engineering, social, academia and the like all have unique Risk associated with them 
and can utilize a RM approach as they see fit. Therefore, the term program/project “P/P” encompasses all 
disciplines and is used as such during this discussion. In addition, though this paper discusses only 
ePORT, the RM practices for ePORT can be utilized in other programs as well. 

At no time in the history of the human race has the pace of technology increased as it has these past one 
hundred years. As the technology development has increased exponentially, Risks associated with this 
shift has increased accordingly. Fortunately, commercially available computer programs exist today that 
can assist with the RM processes. This paper is designed to discuss one such program developed and 
utilized at the United States National Aeronautics and Space Administration (NASA) George C. Marshall 
Space Flight Center (MSFC) in Huntsville, Alabama. It is called ePORT for electronic Project Online 
Risk Tool. It is used extensively at NASA and is for internal use only, not for sale or deployment. 
However, the program serves as an example of how others might employ a similar tool in their RM work. 

History 

By early 2001, several independent studies were reporting insufficient RM practices at NASA (e.g., 
Faster, Better, Cheaper Task Force; Mars Climate Orbiter Mishap Investigation Board; NASA Integrated 
Action Team). MSFC Systems Management Office (SMO) reacted to the Agency’s and Center’s refocus 
on RM by meeting with MSFC Safety and Mission Assurance (S&MA) and P/P Risk managers across 
MSFC and at other NASA Centers to assess available RM tools. This assessment highlighted a general 
conclusion that no cost-effective, robust, cross-platform tools were available that fully met P/P needs. 
Because of this condition, larger initiatives would build their own database systems from scratch at 
significant cost while smaller initiatives struggled to effectively manage Risks due to the lack of funds. 
Since one of SMO’s chartered functions was to “Direct the development of standard processes, tools, and 
guidelines for P/P management...,” it was decided to add the RM Module to the ePORT requirements. 



From July 2001 to November 2002, SMO worked with NASA Headquarters (HQ) and other NASA 
Centers to develop recommendations for the Agency Project Management Council (PMC) to establish a 
common approach for health status and Risk management reporting. In February 2002, SMO completed 
successful Operational Readiness Review of ePORT Core and made version 1.0 available to MSFC P/P 
(ref. 2). 

Some key tenets to ePORT development were that the P/P Managers should own their assessments and be 
maintained at least one level lower than required by management to improve accuracy in reporting. Any 
common reporting criteria should be used where established. 

ePORT allows the users to download reports in formats that can be easily incorporated into standard 
applications [portable document format (.PDF) or Microsoft Excel (.xls)]. The tool provides benefits to 
P/P, not just upper management, and allows managers as much flexibility as possible for data 
organization and access control, see Figure - 1 (ref. 3). 
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Figure - 1, ePORT Risk Management Flow 
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Before describing the ePORT program, a brief explanation 
of the RM process is in order. Continuous Risk 
Management (CRM) is a practice with processes, methods, 
and tools for managing Risks in a P/P. CRM as discussed 
in this paper for ePORT is based largely on the CRM 
process developed by the Carnegie Mellon University 
Software Engineering Institute (ref. 4) and provides a 
disciplined environment for proactive decision-making to 
access continuously what could go wrong (Risks), 
determine what Risks are important to deal with, and 
implement strategies to deal with those Risks. A simple 
RM paradigm is shown in Figure - 2. A thorough and 
more informative breakdown of the Continuous Risk 
Management Process Flow is seen in Figure - 3 (ref. 5). 



Figure - 2, Risk Management Paradigm 
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Figure - 3, Continuous Risk Management Process Flow 


As indicated in the CRM Process Flow chart above, the six steps to a thorough CRM process begins with 
Identify and progresses through Analyze, Plan, Track, Control, and Communicate and Document: 

Identify! Beginning with Identify, where the P/P considers Risks before they become a Problem. Anyone 
in a P/P can Identify Risks because each individual has particular knowledge about various parts of a P/P. 
During Identify, uncertainties and issues about the P/P are transformed into distinct (tangible) Risks that 
can be described and measured. The aim for the Risk statement is that it be clear, concise, and 
sufficiently informative so that the Risk is easily understood. The Risk statement should follow the 
following standard two part format: 












Risk Statement: given the <condition> there is a possibility that <consequence> will occur (ref. 6) 


Analyze : The purpose of Analyze is to convert the data into decision-making information. Analyze is a 
process of examining the Risks in detail to determine the extent of the Risks, how they relate to each 
other, and which ones are the most important. Analyzing Risks has three basic activities: Evaluating the 
attributes of the Risks (impact, probability, and timeframe), Classifying the Risks, and Prioritizing 
(ranking) the Risks. 

Evaluating: The first step provides better understanding of the Risk by qualifying the expected impact, 
probability, and timeframe of a Risk. This involves establishing values for: Probability : The likelihood 
the Risk will occur; Impact : The loss or negative affect (consequence) on the P/P should the Risk occur; 
and Timeframe : The period when you must take action in order to mitigate the Risk. 

Classifying : The second step allow placing each Risk in decision making corresponding fields. This 
enables the P/P to group identified Risks in specified disciplines so the Risk is assigned to the appropriate 
personnel. 

Prioritizing : In Prioritizing Risks, the P/P can evaluate the Risks that pose the highest concern. Here the 
amount of effort and/or time when to begin actions to work on the Risk is decided. 

Figure - 4 demonstrates Sample Attribute Values that might be used to evaluate Risks (ref. 7). 
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Figure - 4, Sample Attribute Values 

Plan: Planning is the function of deciding what, if anything should be done about a Risk or set of related 
Risks. In this function, decisions and mitigation strategies are developed based on current knowledge of 
P/P Risks. 























The purpose of Plan is to: Make sure the consequences and the sources of the Risk are known; Develop 
effective Plans ; Plan efficiently (only as much as needed or will be of benefit); produce, over time, the 
correct set of actions that minimize the impacts of Risks (cost and schedule) while maximizing 
opportunity and value; and, Plan important Risks first. 

Figure ■- 5 indicates the potential approaches to Risk Planning. 



Figure - 5, Planning approaches 


There are four options to consider when planning for Risks: (1) Research: establish a plan to research the 
Risk(s); (2) Accept: decide to "accept” the Risk(s) and document the rationale behind the decision; (3) 
Watch: monitor Risk conditions for any indications of change in probability or impact (tracking metrics 
must be established and documented); and (4) Mitigate: allocate resources and assign actions in order to 
reduce the probability or potential impact of Risks. This can range from simple tasking to sweeping 
activities: (a) Action Items: a series of discrete tasks to mitigate Risk and (b) Task Plan: formal, well- 
documented and larger in scope (ref. 8). 

Track: Tracking is the process by which Risk status data are acquired, compiled, and reported. The 
purpose of Track is to collect accurate, timely, and relevant Risk information and to present it in a clear 
and easily understood manner to the appropriate people/group. Tracking is done by the Risk owner who is 
responsible for monitoring "watched" or "mitigated" Risks. Tracking status information become critical 
to performing the next function in the Continuous Risk Management paradigm, i.e. Control. Supporting 
information, such as schedule and budget variances, critical path changes, and project/performance 
indicators can be used as triggers, thresholds, and Risk - or plan-specific measures where appropriate. 

Example- 1: A program metric might look at the rate of module completion. If this metric indicates that 
the rate of completion is lower than expected, then a schedule Risk should be identified (ref. 9). 

Example-2: A program may set upper and lower boundaries as the limiting factors which can establish a 
false sense that all is going well when it actually may not be. For example, if the trends are stabilized 
near the upper boundary and they begin to fall, concern that a Problem might occur may not be flagged 
until the lower boundary is passed. At this point it may be too late. However, by monitoring the rate of 
change and understanding why the rapidly increasing rate of change is occurring the P/P can take 
appropriate action to prevent a problem from taking place. 

Control : The purpose of the Control function is to make informed, timely, and effective decisions 
regarding Risks and their mitigation plans. It is the process that takes in tracking status information and 
decides exactly what to do based on the reported data. Controlling Risks involves analyzing the status 
reports, deciding how to proceed, and then implementing those decisions. 

Decision makers need to know: (1) when or whether there is a significant change in Risk attributes and 
(2) the effectiveness of mitigation plans within the context of P/P needs and constraints. 





The goal is to obtain a clear understanding of the current status of each Risk and mitigation plan relative 
to the P/P and then to make decisions based on that understanding. Tracking data is used to ensure that 
P/P Risks continue to be managed effectively and to determine how to proceed with P/P Risks. Options 
include: Replan , Close the Risk, Invoke a Contingency Plan, and Continue Tracking and Executing the 
Current Plan\ 

Replan : A new or modified plan is required when the threshold value has been exceeded, analysis of the 
indicators shows that the action plan is not working, or an unexpected adverse trend is discovered. 

Close the Risk: A Closed Risk is one that no longer exists, has been overcome by events, or the Risk has 
become a Problem. When it becomes a Problem the event has occurred and it is now placed in a different 
category and is now tracked (see Problem section below). 

Invoke a Contingency Plan: A Contingency Plan is invoked when a trigger has been exceeded or some 
other related action needs to be taken. 

Continue tracking and executing the current plan: No additional action is taken when analysis of the 
tracking data indicates that all is going as expected or P/P personnel decide to continue tracking the Risk 
or mitigation plan as before. However, don’t forget about the rate of change example mentioned earlier 
(ref. 10). 

Communication and Documentation'. The purpose of Communicate and Document is for ALL personnel 
to understand the P/P Risks, mitigation alternatives as well as Risk data and to make effective choices 
within the constraints of the P/P. Communication and Documentation are essential to the success of all 
other functions within the paradigm and are critical for managing Risks. 

For effective Risk management, an organization must have open Communication and formal 
Documentation. Communication of Risk information is often difficult because the concept of Risk 
comprises two subjects that people don’t normally deal well with: probability and negative consequences. 
Documentation allows for the necessary paper (electronic) tracking capability for current P/P actions, 
simplifies P/P manager reporting, and maintains an archive of data for historical reference. 


Not only is effective Continuous Risk Management in jeopardy, but the P/P as a whole is in jeopardy 
when the environment is not based on open Communication. No one has better insight into Risks than P/P 
personnel, and management needs that input. Experienced managers know that the free flow of 
information can make or break any P/P. Open Communication requires: Encouraging free-flowing 
information at and between all P/P levels; enabling formal, informal and impromptu communication; and 
using consensus-based processes that value the individual voice, bringing unique knowledge and insight 
to identifying and managing Risks (ref. 11). 

Phase- 1: Where to begin 

In an ideal case study, before a P/P initiates an electronic RM system such as in this case ePORT, it is 
imperative that the essential P/P disciplines have been identified and personnel manning these disciplines 
are in place. Equally important is that the P/P be in its early stages of development. This will ensure the 
P/P will be heading in the most efficient direction from the beginning. Once the team is in place, the P/P 
manager would need to set aside a mandatory two day (minimum) off-site stand down for RM training for 
ALL personnel assigned to the P/P. This effort will ensure all team members are properly and thoroughly 
educated in the RM process equally and to relay any P/P updates prior to identifying P/P Risks. In 
addition, since ePORT will be utilized throughout the training, it is imperative that all team members 
attend regardless if they are familiar with the RM processes because they will be creating their personal 
accounts, taught how to navigate through ePORT, and learn how to input Risks. For efficiency purposes, 
an ePORT administrator should also be identified, present at; the training session, be well trained in 
ePORT beforehand, and be the designated P/P ePORT central point of contact. Each team member will 
begin to use the RM paradigm and correctly identify and state Risks as they are imputed into the ePORT 
system. The beauty of this process is three fold, at the end of the training ail team members are equally 
knowledgeable of the RM process, they will know how to independently submit Risks in their areas of 
expertise at any stage in the P/P life cycle (thus the term “Continuous” RM), and the P/P has established a 
team building event in the process. 



Phase-2: Using ePQRT 


Once the P/P team members complete the training course they will become experts in the RM process. 
Access to ePORT is limited to the P/P Manager or personnel designated as their representatives for either 
data entry or review. Each initiative is partitioned from the others to only allow access to approved 
members of the team or upper management. It is best that the users and Risk managers initiate access 
based on their P/P responsibilities. Clicking on the system requirements link takes the user to a new page 
detailing ePORT's system requirements and provides access to the latest version of software needed to 
view ePORT as well as some optional plug-ins. 

ePQRT System Requirements: ePORT was developed so that users would not be required to acquire 
special proprietary software except for normal freeware multimedia plug-ins in order to use the tool. The 
development team has a continuous objective to ensure the tool is platform independent. ePORT is 
designed to work consistently on PC and Macintosh platforms using Internet Explorer or Safari. While 
ePORT may work with older or newer versions of the software specified, it was designed and tested using 
the versions listed (ref. 12). 

Platform Browser 

Macintosh Safari 

Windows 2000, 2003, XP Internet Explorer 

Additional Plug-ins Adobe Reader 

The home page for ePORT has a primary main menu that is divided into seven major sections: Message 
Center, Profile, Risk, Problems, Reports, Help, Setup and Sign out. When selecting any one of these 
sections, sublinks are generated for specific areas of CRM operations for the P/P team members to use 
and are described below. 

Message Center: Returns the user to the initial main screen to view administrative messages pertaining 
to ePORT for the P/P users. As the P/P progresses, noted RM information that needs to be disseminated 
to the team is shown here. 

Profile: Links to a one-screen synopsis of the P/P containing Initiative Name (P/P name), the NASA 
Center for the P/P, Initiative Hierarchy of the P/P, and points of contact (names, phone numbers, email 
addresses) which are listed alphabetically. 

Risks: Contains tools for managing the initiative on a continual basis. By selecting [Risks], users gain 
access to a complete RM database to plan strategies for recognizing and mitigating potential threats to the 
initiative's success. Sub links include Add, Index, Status, 5x5 Grid, and Definitions: 
o Add: Contains the necessary blank fields for filling in each Risk. Red asterisk areas are mandatory 
fields before submitting and include Likelihood, Consequence (Cost, Schedule, Performance and 
Safety) all 1 to 5, Title, Statement, Team, Owner, Timeframe (Near Mid and Far), Approach 
(Research, Mitigation, Watch, Accept). Additional blank fields include Planned Closure Date, 
Context, Research Plan, Mitigation Plan, Watch Plan/Tracking Requirements, Management Plan and 
Status. One note here is to be careful when referencing web links, without any notice the link itself 
or sub-links within it could be deleted or worst case the information is outdated, incorrect and may 
lead you down the wrong path. It is best to refrain from using web links in any Risk statements, 
subsequent data, or in documentation. 

o Index: Is the page where the user can identify specific areas when performing selected criteria. It is 
basically a bean counter for the P/P. Here displays of the summary of all Risks by criticality are 
shown and it allows for P/P Risk integration and multiple ways to soft specific Risks. The user can 
draft Risks tailored reports from Approved Risks and Proposed Modifications (Mods) and 
automatically flag identity when proposed Mods exist. For example, if management wishes to have 
listed only Status (Open), Criticality (Medium), Timeframe, (Near), Approach (Accept, Research and 
Mitigate) only Risks, they only need to choose the said criteria and select [Search]. One can even 
choose the specified Risks via Owner, Teams, Category, Group and sort the list via Descending, 
Ascending or RID (Risk Identification Number). 

o Status: After selecting [Search] from the Index page, a list of the requested Risk appears. By 
selecting [Status], this list will now appear in criticality hierarchy previously selected in the Index 
page with each Risk having its designated Risk Plan and Approach shown. 



o 5x5 Grid : Shows where all approved Risked previously identified in the Likelihood versus 

Consequences 5x5 matrix grid, see Figure - 6 (ref. 13). After all the Risks have been accepted by the 
Risk board or management board they are formally entered into the ePORT. At this time a Risk 5x5 
Summary Matrix can be generated. The data from this matrix allows the severity of the Risk of an 
event occurring to be determined. Here the P/P can designate which list to monitor (i.e. top 10) and 
prioritize the immediate effort to work the more severe Risks first or Risks that can be mitigated the 
quickest, however the P/P chooses. ePORT uses the following criteria to rank Risks: (1) by 

criticality (High, Med, and Low); (2) by worst-case LxC (Likelihood x Consequence) product; (3) by 
composite LxC (sum of each LxC product for cost, schedule, technical and safety consequence); (4) 
by timeframe (near, mid, far); (5) by approach (mitigate, research, watch, and accept); and (6) by 
Risk identification number. 

o Definitions : Through a pop-up page, the P/P selected Risk Definitions are defined (Timeframe - 
Near, Mid and Far) (Likelihood and Consequences - Cost, Schedule, Performance, Safety, etc.) 
(Risk Values - 5, 4, 3, 2 and 1). These definitions are also shown in Figure - 4 above. 
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Figure - 6, ePort Risk 5x5 Summary Grid 


Problems : Contains tools for managing the Problems that are associated with an initiative on a continual 
basis. By selecting [Problems], users gain access to a complete Problems management database to plan 
strategies for handling the initiative’s ongoing Problems. A special note here is that when a Risk 
becomes a Problem, the event has occurred and is therefore moved within ePORT and tracked separately . 
As with the Risks link noted above, Problems also has Add , Index, Status , and Definitions. However, in 
addition Problems has Summary and Issues links. 

o Summary : Lists the Impact Summary in a 3x3 grid relative to the noted Problem's impact in Red 
(high Criticality), Yellow (Medium Criticality) and Green (Low Criticality) versus the timeframes 
Near, Mid and Far. 




o Issues: Lists both the noted 3x3 grid in Summary and the 5x5 (Likelihood versus Consequences) 
Grids for Problems . 

Reports : Allow the user to select specific data and templates to create tailored reports for the accepted 
Risks, Problems and General where the user can select the ability to download the information in either 
portable document format (.PDF) or Microsoft Excel (.xls). 

Help : Contains immediate resources to aid the user in using ePORT. By selecting [User Guide], a new 
web browser window will open and provide access to a web based help guide. By selecting [FAQ], the 
user can view the most frequently asked questions along with their answer or submit their own question. 
By selecting [Comments/Questions], the user can view comments and responses entered to date and 
submit comments, questions or bugs to the administrator. 

Setup : Houses all user-defined preferences that are available to task manager, Risk manager or the 
general users. Users have access to their own user preferences by selecting [My Preferences]. The 
[Risk Admin] section allows the Risk manager to establish the Risk settings for their initiative. 

Sign out: It is a must to always [Sign Out] of ePORT after each session to maintain integrity of the 
user’s initiatives data. If the user’s browser stays idle for more than 20 minutes the user’s session will 
time out and the user will be automatically asked to log back in (ref. 14). 

Conclusion 


In any system the RM process works in maintaining a P/P ability to stay on schedule and within budget. 
The difficulty lies in actually implementing a thorough RM process. Often a P/P Risk Management Plan 
(RMP) is hastily written and then thrown in a comer to gather dust until a Problem occurs. Having a 
thoroughly trained staff and a computer based centralized RM program in place is not only essential but 
imperative for any P/P. In addition to the RM course, one of the steps NASA has taken is to establish a 
Risk management web site that contains sample Risk management plans and a schedule of classes. A 
significant amount of time was spent discussing with managers the benefits of taking a formal training 
course where the costs and time spent is more than recovered by a P/P when all team members are 
working toward common goals in a coordinated manner. In doing so ePORT has proven itself over and 
over as a P/P viable and necessary tool by improving the product line, Center and Corporate management 
insight, simplifying P/P manager reporting processes, and maintaining an archive of data for historical 
reference. 

With the current United States space initiative directive, completing the International Space Station and 
traveling back to the Moon and then to Mars, new technical challenges are being encountered each day. 
NASA has been a leader in the aerospace industry; however, this industry is rapidly changing. High tech 
private adventures are cropping up every day and with the proper tools in place they can succeed. There 
are several commercially available RM tools on the market. A proactive manager of any P/P should 
ensure their teams master these tools. The positive result will show when they deliver products and or 
services that are on time, safe, reliable and profitable. 
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Majoi i eduction hut 
alternatives available 

Unacceptable, no 
alternatives exist 

Safety 

•Ho Safety and Health 
Plan Violation 

•Mo adverse hazard 
or leliahility change 

•Full legulatoiy 
compliance 

■Documented CIL 
•Change in hazaid conti ols 
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Planned Closure Date 


2/15/2009 


Oi 

02;O3 

04 

05 

High Pressure Oxygen Tubopump Turbine Blade Failure 
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Schedule 

Given the failure of a turbine blade at high RPMs can lead 
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0 Mitigate 
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Category 


All Categories v 
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Search 
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Risk Statement 
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Team 

Approach 
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PILOT- 1 -Distress due to Internal Contamination 




Given that objects (contamination) may impact the 
indue er/impeUer, there is a posibility that leading edge 
turbine fractures damage thus reducing the pump margin 

Mo ore-Hartley, 
Pat 

Materials 

Open 

Far 
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and cavitations will occur. 

L/C: 5/4 


Engineering 

Watch 
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Given the vibrations from various sources, there is a 

Coker, Cynthia Open 

Total: 16 

possibility that induced high cycle fatigue in the bearing 
races, rolling elements, and cage will occur. 

Setup 

Mid 

L/C: 4/4 


Testing 

Research 
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PILOT -3-Premature Engine Shutdown 

Given the several conditions exist which could lead to a 

Mullane, Dan 

Open 


premature shutdown of a main engine, there is a 


Total: 12 
L/C: 3/4 

possibility where an unsuccessful recoverable abort will 
occur. 

Reliability 

S&MA 

Far 

Research 

M 

PILOT-4-Hish Pressure Fuel Turbopump f'HPFTF} housing external 
leak/rupture. 



Given the result that defects introduced through 
manufacturing or handling damage may occur, there is a 

Powell, William 

Open 

Total: 12 

possibility that reduced rotor part strength or life will 
occur, 

Quality 

Near 

L/C: 4/3 


S&MA 

Mitigate 
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PILOT -3- High Pressure Oxygen Tubopump Turbine Blade Failure 

Given the Mura of a turbine blade at high RPMs can lead Spurgeon, Open 
to turbine fragmentation, there is a possibility of loss of Jennifer 
containment will occur, Setup Far 

Testing Research 
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PILOT -6- Loss of Thrust 

Given the cryogenic temperature of Hydrogen -420 F) Suttle, Madelyn Open 

in the fUel ducts and pumps, there is a possibility that 
tehy can condense and liquify the Nitrogen in the aft 

compartment on the uninsulated components or on other Reliability Near 

comonents where there are faults in their insulation will 

occur. 

S&MA Research 



Total: 8 
L/C: 2/4 


PI LOT-8- Failure to complete ISSRC 2008 presentation on time 


Given that current work load tasks are increasing, 
there is a possibility that not completing the ISSRC 
2008 on time will occur. 


Johnson, Paul 
Schedule 


Management 


Open 

Near 

Mitigate 


Mod($) Exist 



Total: 6 


L/C: 2/3 


PILOT-7- Low Pressure Fuel Turbopump fl-PFTFl Rupture/Fire 

Given that miscalculations in the engine balance or Grubbs, Rodney Open 
turbopump performanc, there is a possibility that an 

incorrect installation (before flight or during Drawin s Near 

reftirbishments) of an oversized discharge coolant orifice fawm & s 
and overspeeding of the LPFTP will occur. 

Engineering Mitigate 


Draft Risks (Click ou risk title to view. modify ii.sk details) 
Risk ID - Title- 
Risk Statement 

Risk T otal 

L/C 


Owner 

Category 

Team 


Status 

Timeframe 

Approach 
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Total: 6 


L/C: 2/3 


PILQT-7- Low Pressure Fuel Turbopump fLPFTP) Rupture/Fire 

Given that mis calculations in the engine balance or Grubbs, Rodney Open 

turbopump performanc, there is a possibility that an 

incorrect installation (before flight or during D 

reftrrbishment s) of an oversized discharge coolant orifice rawm §* ear 

and overspeeding of the LPFTP will occur. 

Engineering Mitigate 


Draft Risks (Click ou lisk title to view modify lisk details) 
Risk ID -Title- 
Risk Statement 

Risk T otal 

L/C 


Owner 

Category 

Team 


Status 

Timeframe 

Approach 



Total: 6 


PILQT-D-1 - Minimum time between arrival and departure flights 


Given that there is minimum time between arrival and 
departure flights, there is a possibility that any delay in 
an arrival flight a missed connection flight will occur. 


Johnson, Paul 
Safety 


L/C : 2/3 M anagement 

Submitted By: Johnson, Paul 


Open 

Near 

Watch 


Delete 


Modified Risks (Click on risk title to view' modify risk details) 

Risk ID - Title- 

Risk Statement Owner 

Risk T otal C ate gory 

L/C Team 


Status 

Timeframe 

Approach 



Total: 8 


PILOT -M«S-(D- Failure to complete ISSRC 2008 presentation on time. 

Given that current work lo ad tasks are incr e asmg, there J ohns on, P aul 

is a possibility that not completing the ISSRC 2008 on 

time will occur, Schedule 


L/C : 2/4 M anagement 

Submitted By: Johnson, Paul 


Open 

Near 

Mitigate 


Delete 
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Risk Status 


Criticality Risk ID -Title 
L/C Risk Plan 


Approach 


m 

5/4 


PILQT4 - Distress due to Internal Contamination Watch 

The use of materials, design configurations, etc., which generate contamination shall be minimized. Cored 
passages where either the coring matenal or the casting material can generate or become contamination 
sources, will be verified as free from contamination by suitable NDT techniques. All drilled or bored passes 
shall be deburred. A Contamination Control Plan will be provided. 


m 

4/4 


PILOT-2- High Cycle Fatigue Research 

Control Provisions / Reference sVerification: - Turbine airfoil durability analyses have been conducted to verify 
that the airfoils have infinite HCF life (REF: DVS-30, Para. 4.1 .2.5), • The design will comply with additional 
specific vibratory criteria given in the ICD (REF: CPI 1372, Para 6.3.1). - Computational Fluid Dynamics (CFD) 
analyses will be performed to reduce flowpath perturbations. These analyses will be verified through water 
flow visualization and airflow substantiation tests (REF: DVS-30, Para's. 4.1. 2.4, 4.1. 2.6, 4.1.2.11, 4.1.3.2.5.1 and 
4.1 .3.2.5 .2). • Rotor Dynamics Analysis verification shall be considered complete when the specified analyses 
have been completed, when it has been established that the worst operating conditions have been considered, 
and when the verifications tests listed in tables on pages 41 and 42 of DVS-30 have been met (REF: DVS-30, 

P ara. 4. 1 .2 . 1 0) . - Analy s e s will b e verifi e d through detail p art and sub as s embly te sts (REF : DVS-30, P ara.' s 
4.1. 4.1. 8.2 and 4.1 .4.2 4.1). 


M 


3/4 


PILQT-3- Premature Engine Shutdown Research 

- Redline limit inhibit is documented in the integration hazard analysis. - Engines and major components are 
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4,1 ,3,2 .5, 2), - Rotor Dynamics Analysis verification shall be considered complete when the specified analyses 
have been completed, when it has been established that the worst operating conditions have been considered, 
and when the verific ations te st s liste d in table s on p age s 41 and 42 of D VS-30 have been met (REF : D VS-30, 
Para. 4,1.2,10). - Analyses will be verified through detail part and subassembly tests (REF: DVS-30, Para.'s 
4.1, 4.1. 8, 2 and 4.1.4.2.4.1). 


PILOT- 3- Premature Engine Shutdown Research 

- Redline limit inhibit is documented in the integration hazard analysis. - Engines and major components are 
green run accepted at a thrust profile which incudes 50 seconds at 109%. - Develop a test plan to assest all 
command input failure scenarios. 


PILQT-4- High Pressure Fuel Turbopump fHPFTFl housing external leak/rupture. Mitigate 

P&W Engineering Source Approval for manufacturing processes & materials in manned rocket programs is a 
system established by Engineering for the control of certain parts, materials and processes where 
characteristics vital to the performance or integrity of the parts, materials or processes cannot be completely 
defined in a manner suitable for inspection purposes and must therefore be assured by procurement from 
sources which have demonstrated, to the satisfaction of Engineering and QA, the ability to produce the 
necessary characteristics. REF: PWA 371 Engineering Source Approval for Manufacturing Processes & 

M aterials in M a nne d Ro eke t Pro grams . 


PILQT-5- High Pressure Oxygen Tubopump Turbine Blade Failure Research 

Turbine airfoil durability analyses needs be be conducted to verify that the airfoils have infinite life. 


PILQT-6- Loss of Thrust Research 

No research plan provided. 


PILOT -8- Failure to complete ISSRC 2008 presentation on time. Mitigate 

Work diligently to ensure ISSRC 2008 presentation is completed and submitted to management for final 
approval. 



I 




PILOT -7- Low Pressure Fuel Turbopump (XPFTFl Rupture/Fire Mitigate 

Review Sewings and sizing and installations of the F7 orrifice and adjust per specifications. 
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Open 

Total: 20 
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Materials 

Far 

L/C: 5/4 
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Suttle. Madelyn 
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Given the cryogenic temperature of Hydrogen ( — 420 F) in the fuel ducts and 
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all compartment on the uninsulated components or on other comonents where there 
are faults in their insulation will occur. 
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Research 
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PILOT-8 - Failure to complete ISSRC 2008 presentation on time. 

Johnson. Paul 

Open 


Total: 8 

Given that current work load tasks are increasing, there is a possibility' that not 
completing the ISSRC 2008 on time will occur. 
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Open 
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possibility that an incorrect installation (before flight or during refurbishment*) of an 
oversized discharge coolant orifice and overspeeding of the LPFTP will occur. 
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Mo ore-Hartley, Pat 

Open 

Total: 20 
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Materials 
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Watch 
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PILOT-2 - High Cycle Fatigue 
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Given the vibrations from various sources, there is a possibility that induced high 
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PILOT-3 - Premature Engine Shutdown 
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Given the several conditions exist which could lead to a premature shutdown of a 
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Mitigate 
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PILOT-5 - High Pressure Oxygen Tubopump Turbine Blade Failure 

Spurgeon, Jennifer 
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Given the failure of a turbine blade at high RPMs can lead to turbine fragmentation. 
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Research 
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problem, mikoouf tcvmui , ewiramirnttf fiupfet, feilur* to 4dii*v* 4 n**d*d < cittttiflc or udatologiod 
bftrkttaaugi or miff ion fucc*<* criuru) **vd th* «iw«nmtw iurn^ , <-f fW^Y tfth* und**ir*d *v*ra, 
i**r* it to occur. 


LIKELIHQ OP -th* probability thttthi risk win occur. 


C ONSBOUBNCE - th* lo« or «ff*ct on th* progrcmAxrofect if th* risk occurs. 


TIMEFRAME - ttue period when action mist b* taken to handle th* risk mitigation plan. 


COST - 4 progrtm^irojtct cost it *u* that <te*cttytfndlr*ctjy inpacts th* program^nojaa budget. 
SAFETY - 4 program^crojtct safety issue that dirtety inpacts th* progrtm^xroject. 
SCHEDULE - a program/projart schedule issu* that directly inpacts the programproject. 



T 

The time period to mitigate the risk. 

X 

M 

E 

f/i$) 

Near - within the next 3 months 

F 

R 

A 

Mid-Term - between 4 - 8 months 

M 

E 

V^djer^y 

Far - beyond 8 months 


LEGEND 


High - Imp lenient new processes or change baseline plans 

— 

Moderate - Aggressively manage; consider alternative process 
Low - Track and Monitor 


What is Me likelihood Me situation or circumstance witt happen? 

Leys/ 

Probability 

...or the current process ... | 

5 

Very High 

cannot pi even this event, no alter native 
approaches or processes ate available. 

4 

High 

cannot prevent this event, but a different 
appioach or process might. 

3 

Moder ate 

may prevent this evert, but additional actions 
will be tequbed. 

2 

Low 

Is usually sufficient to prevent this type of 
event. 

1 

Very Low 

is sufficient to prevert this event. 



Sample data. - What Is the Consequence (Cost, Schedule, Safety, or Technical) of this Risk? - Sample data 



Level 

1 

2 

3 

4 

5 

c 

Cost 

Minimal or no Impact 

Budget Increase < 5% 

Budget Increase > 5% 

Budget Increase >10% 

Budget Increase >15% 

0 

N 

S 

Schedule 

Minimal ot no Impact 

Additional activities requited. 
Able to meet date. 

Key Program Milestone Slip- -1 
Month 

Key Program Milestone 
Slip>1 Month, or Program 
Critical Path impacted 

Cannot achieve Major 
Program milestone 

E 

0 

U 

N 

C 

E 

Technical 

Minimal ot no bnpact 

Moderate reduction, same 
appi oached letained 

Mode* ate reduction but 
alternatives available 

Major reduction but 
aRet natives available 

Unacceptable, no 
alter natives exist 

Safety 

•llo Safety end Hetfth 
Plan Violation 

•llo adveieehazaid 
oi leliability change 

•Full i egulatoiy 
compliance 

•Documented OIL 
•Change in hazard controls 
but no inciease in PRA 
•Minoi violation of Federal or 
State regulations 
■<10% decrease in reliability 

■CIL without acceptance rationale 
■Change in hazard controls Int 
with inciease in PRA 
■Violation of Federal or State 
regulations 

*10-20% decrease in reliability 

•Major but temporary injury 
■Potential damage to assets 
■Multiple violations of 
Federal or State regulations 
•>20% decrease in 
reliability 

■Potential for permanent 
injury or death 
■Loss of Critical assets 
■Willful or major 
violations of Federal or 
State t egulations 



Program/Project Risk Definitions 


. 

NASA 


RISK; A Risk is characterised by the oombinvion of the >robabilty' , thatihe ProanwrVRojeci will expemnoe w\ indesired evert (cost, 
schedule, safsy efteohnteaD artithe 'boreeqmnees, impart orfeverty" of the urdasired evert , were I to occur. Al Risks must be sction*le. 

RISK MANAGEMENT: Risk NtanagefTiert (RM)e a oortinuoug . iterative process to manage Risk in orderto a?h»ve mission success RM 
use a st act tied team aril wlh all asfcehoklers . I should be a key eMmert and an irtegnl pvt of rormal Progrvn/Rojeot marag«mert and 
engineering processes 


IDENTIFY 


2 ANALYZE 


3 PLAII 


4 TRACK 


5 CONTROL 


•4-6 COMMUNICATE 
AND DOCUMENT 


A, Bktl, Mohtllootoh 4 h 4 monogomrhttaetm^cIhCliHo: bu 4 g 4 %r , ro vlo AC • ,portln%r vlo* C, ton4 Ah OlydC «T 
motiOb OOmporUOh OTgoolA 4h4 plOht Hogiom Pio!ootfchi,404l C0h4l/dC4h4 10 vlo*t, oiiglhooilng onolyCU 
0h4 t*40 OtHItC. 

a Foyoroot to oooooo taolu 4o: bu4 got, rogulromonte %ohnology, m 4 lit) gom on t onglnoorlng cii pp or% bill ty, 1 4 gl do c 
Oh4 InOlhtohOHOO. OpOhfttOhC. MlTt,. pt v0l4hthi4lo. Oh4 P OlltlOOl. 

C. Ihftimoton dourooo: Hoc Motor Icol 44 %. rooourooc, oipplloro, plonc, propo<*4 oliongoc, toctroculteU 

ton & I4«r 4 1 on gl won to ol I fa» uroo t *i 14# n*lT,l h 0 Fit* 

A. Ft I II III 40lfellO4 ON 0 lN« 41 ( 1)0 41141/ J. IllO lU 4lll 0 tOh40h4 04 N <J 1 vlt> 4 nOl/ClC, 4 C OppLOpHOtO. 

a botormlno tiro II boll bo o4 or 0.4 o vont. 

C. D4%l mlh4 n«4 l%h»'COONC41U4hOOt: 

t. $o»ly taolu4oo:lmpooto to hoolt* or «*t, orp4r connoIoio a or 4 4hi4g4 % pro port*. 

5. Nrtormonoo • Ml colon Suooo ct« taolu4oc: toolmlooi porformonoo; oporotonc; roiulro monte Iccuoc; logic toe, 
molntononoo on 4 cup poi totality; on vlro Nmo Ntol Ittuo t; or go noroll y omotcrnlcdon oblootvoc, 

I. C*«tlnolu4oo: Mogrom.‘Hoiootbu4gotor rotourooo. 

4. ttoho4 ulo I nol u4o t: Im poo to to pio loot mllo c% no • or to ho 4ulo i 

Cl Moo4 % ln%aro% lllo Ittuoo l<b c to gotiioi % onoly* ou mu lot vo 4 i»o tt t"t n4 cim Hot tin 44 4 c" t 

K 0oo4 % l4on Ilf, oil pro up c of%ot»4 b, %!c il<b toll 4 000 % 4 portooi 

f Hot tio Mob on o FlCb Mtth. 

fetor f to Mob on4 onolyao 4o% In to %o Mob 4o%booo. 

•- G»t*4 on OhOlydO ft.g., t*4o ctoHIOt, 0 %. \ l4ontty tbo boct Mb 14 004 ton Mon. 

a Covolop %o Fit* Ul*l 04 Ion Mon to ro4uoo llbollhoo4 orooourtonoo on4.'or ro4uoo co vorttyorooncoguonoocby 
olttor to4o i *0 hln g. mo 41 vying ro gu Uomo n to, oo gulfing o4 41 to nol ro ooutooc. ougmo n0ng toctor voHtooton, 
oporotonol *orborouh4t, orronogototng aIHi c%bohol4ort Potty oil or»o%4 porto o *lti oliongocor t%tio 
Up 44% * on 4 II II*. tromln tio 44 %b 4«0 it 4 H 0 IT 0«%4 0*04 hi atlonctoboh 01401. 

C. Do volop o on t ngo no y plo n fctoUb oob plon «. 

Cl Foo v m mon 4 o oco lot n g Mob to big Not boot 4.ponol. 

E Aro tho mlt 00 to n plon 0 o4 04 uo% t 

F. Alton 0 Mob oonnotbo 0 ilolonty r*4uoo4Anltgoto4 ony tirtior, 00 n <* 4or 0000 p 0 n 0 tbo Mob. 

A. A4t.h 411 4 toob tio Mob Attlbu1»6on4 Mltgoton Mono. Art plont Doing por%rmo4 In 0 Pmoly monnor on4 I c0io 
bit got on Mon * orbing or 4o yowNoo4 % go to %ro %llboob plon? 

a up4o% M <b 44 %bo to 0 c rol 0 % 4 4o% oro oogulrod, oompllo4, onoiyag, on4 .tr ro porto 4. 

t Uoo teobtag report* to oomm uulooto mermotoh iguonttotovo ond/or guoll%lvo troguir»4 tor omolv* oontol 
4oolPono. 

D. Mob tooling thouie include uc* or mo tic 1 

A, Uco prooooco t In *McN 440 I don coro mo4o bo 00 4 on tlio 4o% pro con to 4 In tio tooblng report 1 Title on euro c hot 
tio FI 0- I 0 OOhtlhttOlly on 4 OT»OtvOlym4nO0O4. 

a Cool cion c 410 bo «o4 on ourrontln»rmoton 00 *oll 00 otpoHonoo on 4 mucto4opt% onyohonglng oon4itoni 

O. M J 4ooIPonc on 4 0 urton t mooh onlom « oboul4bo ln%gro%4 olti c%n4or4 Progrom.'Molootmonogomont 
prootoot 

a Util 34 tooblng 4o% % 4o %r ml no bo* to pr 0000 4 Altli Ml «b fO*o»o. oontnuo tooling on 4 oioouton %io ourront 
plon . 10 -plo n. or In vobo 0 00 n0n gono , pi on v 

1 Oottt gg or potato or tbrocHoHo ®r *o%bo4 Hdt- *bon M«bnoo4o % bo roo voluo%4. 

A. Movl4o taermoton on4 %o4boob to tio M ogi om.'M o|ooton Pl«b ootvltoo, Htb o%tuo, on4 po%ntol no* Mole. 

a Ehiuio ti o 4 00 unto ntot on on 4 viability or M<b InvrmoPon tor bot%r monogomonton4 In % grot on. 

C Bi%r oil Mob 4o% I nol u4lng ourront t%tuoon4 mltgoton plonolnto tao M«b 4o%bo«o. 





NAtonu Aeronauts* Ana 
Sp*c* Administration 


MARSHALL SPACE FLIGHT CENTER 

Continuous Risk 
Management (CRM) Training 
Processes and Solutions 


Communicate 

Document 




Plan 


inte.rnatiQnai System Safety Regional Confer 


National Aeronautics and 


Administration 



'OvV 



International System Safety Regional Conference 2 


Additional NASA/Contractor ^ 

CRM Programs In Use 

> IRMA - Integrated Risk Management Application 

* international Space Station (ISS) 

* Constellation Program (CxP) 

* SIRMA - Shuttle Integrated Risk Management Application 

♦ ARM - Active Risk Manager 

* NASA Headquarters (HQ) 

> EVM/RM - Earned Value Management and Risk Management 

* Facilitates the CRM process 

*> Risk Control - Rocketdyne 

♦ Many more... 


National Aeronautics and Space Administration 



International System Safety Regional Conference i 


Quote 

♦ ePORT History 

♦ Continuous Risk Management Process 

♦ ePORT - Project: PILOT 

♦ Things To Think About 


< x Q&A 


National Aeronautics and Space Administration 
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